Firestore security rules in auth less apps

0
votes

I've developed an app which relies on Firestore for storing some user's data. This app doesn't have any login mechanism, as it uses the device UUID as identifier; we're not managing any sensitive data, btw.

I'm getting daily warnings from Firestore regarding the absence of security rules in my database, but as long as I don't have any login mechanism and my users need to both read and write from it, I can't see any way for implementing a useful security rule.

Is there any pattern I could follow in this situation? Is there any way to create a security rule for allowing to only read and write data created by the same user without any user authentication?

Thanks in advance

1
firebasegoogle-cloud-firestorefirebase-security

1 Answers

1
votes

It sounds like you want to identify the user, but then without authentication. My guess is that you want to identify them, without requiring them to provide credentials.

If that is the case, you're looking for Firebase's anonymous authentication provider, which assigns a unique, unspoofable ID to each app instance. Signing in anonymously takes very little code, for example for Android it's:

FirebaseAuth.getInstance().signInAnonymously();

After this call completes, the user has an ID that you can then use in your security rules to identify the data from this user.